
Where's my Headcount? Hiring Pitfalls Unique to GRC Teams

Kerwyn Velasco
February 5, 2023

There has been lots of talk about a phenomenon known as The Great Resignation, back when the pandemic caused a significant disruption in America’s labor force. In 2021, more than 47 million people left their jobs in search of an improved work-life balance and flexibility, increased compensation, and a strong company culture. But fewer people realize that companies today – more than two years later – are still facing daunting challenges in filling their headcount. The US Chamber of Commerce’s report on the State of American Business 2023 indicates that there are over 10 million job openings in the US, but only around 6 million unemployed workers available to fill those jobs.

The Headache of Open GRC Headcount

The plague of the missing headcount is being felt acutely in the GRC function. This seems illogical, as geopolitical conflict, economic turbulence, and an endless number of high-profile data breaches have made cybersecurity a critical area for organizations worldwide. Yet even with considerable demand for staffers, the (ISC)2 Cybersecurity Workforce Study 2022 reports a gap of 3.4 million cybersecurity workers worldwide. Is there really such a massive shortage of talent? Not according to the study, which found that the main issues behind companies’ inability to fill their headcount lie in areas fully within their control, such as not prioritizing cybersecurity, not sufficiently training staff, and not offering opportunities for growth or promotion.

In fact, talent is currently readily available. Recent mass layoffs by tech giants like Amazon, Google, Twitter, and Meta have flooded the market with tech talent. So if talent is available, why is the GRC function having difficulty filling headcount? Let’s explore some of the reasons.

Scarcity of the Right Skills

Tech skills are tech skills, right? Not exactly, according to GRC professionals. There is a wide gap between having general tech skills and understanding the needs of InfoSec Compliance. According to the ISACA survey, one of the top skills gaps reported in today’s cybersecurity professionals is understanding security controls (34%). This means that even when tech talent applies for the open positions, it often lacks the experience or technical know-how to take on a security Compliance role. Today’s InfoSec Compliance professionals need critical thinking skills. It’s not about showing up and turning the crank each day; it’s about recognizing where technology or automation can augment their role and free them up for more strategic work.

New Role of Business Technologist

According to Gartner, 67% of CEOs want technology executed directly in their departments. This trend has given rise to a new role: the Business Technologist. Business Technologists are non-IT employees who deliver technical solutions directly to organizational business units. They identify a pain point and find low-code/no-code solutions to address it.

However, while Business Technologists may be the answer CEOs are looking for across many of their departments, this strategy may not be suitable for Security Compliance. The high risks inherent in security roles mean that hiring someone without the necessary security and Compliance experience may not be the right move for the organization.

The Emergence of Fusion Teams

Fusion teams comprise both technical and non-technical people who together deliver a solution or solve a problem for the organization. Gartner refers to these teams as “multidisciplinary teams that blend technology or analytics and business domain expertise and share accountability for business and technology outcomes.” Teams may include sales executives, compliance officers, domain experts, and product owners. The idea is similar to implementing centers of excellence within organizations to get the job done effectively. While fusion teams are still an emerging concept, in practice they have not yet filtered through to the GRC function.

So What is an Organization To Do?

If Security and Compliance professionals require specific skills, Business Technologists are not a suitable substitute, and the concept of Fusion Teams is not quite there yet, how can organizations better meet the headcount needs of the GRC function?

Outsourcing: Hiring external professionals is always an option for organizations. However, outsourcing can be an uphill battle for GRC departments, as outsourced talent is often unfamiliar with the company culture, tech stack, and so on. Organizations must rigorously scope every aspect of the position to ensure the right talent is hired. Companies should also invest in data tools that reduce toil and then outsource other aspects of GRC, such as monitoring.

Hire from within: Another option for GRC departments is to look to adjacent departments to fill open roles. People with a strong technical background can be taught the ins and outs of Compliance. However, scanning resumes is not enough. These potential hires will need to be screened to ensure they have the critical thinking and soft skills necessary to make them a good fit for the GRC position. The ISACA survey findings underscore this point: organizations with initiatives to train internal talent through rotating job assignments and mentoring were least likely to have headcount shortages.

Lessen requirements for entry: With the Big Tech companies contracting and a larger pool of tech labor available, maybe the time has come for organizations to lower their expectations and scoop up the talent that is well equipped to get the job done. For example, if academic degrees were previously a requirement for entry, perhaps now is the time to eliminate that prerequisite in favor of relevant experience that will help the organization scale to the next level. Or, if requiring a specific number of on-call hours is a turn-off for many, maybe now is the time to drop that requirement in favor of a better work-life balance.

Automate where possible: Automation is becoming more popular in cybersecurity. According to the ISACA study, 57% of organizations have already adopted automation, and an additional 26% plan to adopt it in the future. While automation is unlikely to replace cybersecurity workers in the foreseeable future, automating processes that are consistent and repeatable frees up staff to focus on more strategic tasks. This may reduce staffing shortages without requiring additional workers.

Historically, economic downturns and global challenges pave the way for some companies to capitalize on new opportunities. The current situation has opened the door for smaller enterprises to become winners by acquiring the right talent and skills more efficiently than ever. Will you be one of those organizations?

Kerwyn Velasco
Security and Compliance Nerd with 10 years GRC experience wearing all kinds of hats. He currently does marketing at anecdotes.
